Not long ago someone's computer at the company got infected with malware, and it started handing out DHCP leases to the other machines, leaving the network in a half-working mess. In the end I used Wireshark to find the culprit and took it off the network.
But I can't keep Wireshark open 24 hours a day, and I am about to leave the company, which makes me a little uneasy. I looked online for material on rogue DHCP detection; all I wanted was a simple rogue DHCP detector. Nothing matched what I needed, although there is one for Windows (from what I found).
So I wrote my own version. The script's flow is:
- Craft a .pcap file (text2pcap)
- Sniff the network with a filter (tcpdump)
- Replay the .pcap file created earlier (tcpreplay)
- Process and check the captured network packets
In the script below, there are basically only a few variables you need to change:
- tmp1file <-- the first file, written by the network sniff
- tmp2file <-- processed version with the unneeded columns removed
- tmp3file <-- processed version with duplicate packets removed (that is, packets from the same DHCP server)
- thePHfile <-- the packet's HEX file
- thePfile <-- the file converted from HEX into .pcap
- authoriseIP <-- your DHCP server's IP
- IF <-- your DHCP server's network interface
#!/bin/bash
tmp1file='/tmp/dhcp-raw.tmp'         # The initial sniff result
tmp2file='/tmp/dhcp-result.tmp'      # The result with the timestamp column removed
tmp3file='/tmp/dhcp-uniq.tmp'        # The result without duplicate packets
thePHfile='/tmp/DHCP-Request-6.txt'  # The packet HEX file
thePfile='/tmp/DHCP-Request-6.pcap'  # The packet .PCAP file
authoriseIP='192.168.0.1'            # Your authorised DHCP server's IP
IF='eth0'                            # Your server's network interface

/bin/rm -f "$tmp1file" "$tmp2file" "$tmp3file" "$thePHfile" "$thePfile"   # Clean up leftovers from a previous run

function pcktRepyCapt { # Packet Replay & Capture
    # Sniff UDP packets with source port 67 and destination port 68 (DHCP offer behaviour)
    # in the background; -l line-buffers the output so nothing is lost when tcpdump is killed below
    /usr/sbin/tcpdump -l -e -i "$IF" "udp src port 67 && udp dst port 68" -nnq > "$tmp1file" 2>/dev/null &
    sniffPID=$!                      # PID of our background tcpdump
    i=5                              # Number of packet replays
    while [ "$i" -ge 1 ]; do
        sleep 2                      # Delay before each replay, in case the replay is too fast and the DHCP servers cannot keep up
        /usr/bin/tcpreplay --intf1="$IF" "$thePfile" >/dev/null 2>&1   # Replay the DHCP discover
        i=$((i-1))
    done
    sleep 2                          # Let the last offers arrive before the capture is stopped
    /bin/kill "$sniffPID" >/dev/null 2>&1   # Terminate only our own tcpdump, not every tcpdump on the host
}

function processRaw { # Remove the timestamp column
    while read -r myArray; do
        echo "${myArray:16}"         # Drop the 15-character HH:MM:SS.uuuuuu timestamp and the space after it
    done < "$tmp1file"
}

function queryUniq { # Rebuild each line from its comma-separated fields so it can be sorted and de-duplicated
    while IFS=',' read -r -a myVar; do # Read each line into an array, using the COMMA symbol as separator
        if [ -z "${myVar[2]}" ]; then
            break                    # IF EMPTY THEN STOP
        fi
        echo "${myVar[0]}, ${myVar[1]}, ${myVar[2]}, ${myVar[3]}"
    done < "$tmp2file"
}

function pcktAnalyse { # Check IP
    while IFS=',' read -r -a myVarr; do # Read each line into an array, using the COMMA symbol as separator
        theIP=$(echo "${myVarr[2]}" | awk '{print $3}')   # The server IP (with its port) is the third word of the third field
        theMAC=$(echo "${myVarr[0]}" | awk '{print $1}')  # The server ethernet address is the first word of the first field
        thesub=${theIP%.*}           # The extracted IP comes with the source port (x.x.x.x.67); strip it for comparison and display
        if [ "$thesub" != "$authoriseIP" ]; then # IP comparison: if it is not the authorised IP, report its ethernet & IP address
            echo "There is a non-authorised DHCP server in the network, MAC=$theMAC and IP=$thesub"
            break
        fi
    done < "$tmp3file"
}

function pcktGen { # Create packet (.PCAP) file
    srcMAC='aa bb cc dd ee ff'       # Source Ethernet Address of the replayed frame
    dstMAC='ff ff ff ff ff ff'       # Destination Address (broadcast address)
    # Hex dump of a DHCP Discover (UDP 68 -> 67, 0.0.0.0 -> 255.255.255.255) in the
    # offset-plus-bytes form that text2pcap reads. The ASCII column is left out on
    # purpose: text2pcap ignores it, but text in it that looks like a hex byte pair
    # followed by a space (for example "cd " from "dhcpcd") can confuse the parser.
    cat > "$thePHfile" <<EOF
0000 $dstMAC $srcMAC 08 00 45 00
0010 01 48 00 00 40 00 40 11 39 a6 00 00 00 00 ff ff
0020 ff ff 00 44 00 43 01 34 9c bb 01 01 06 00 16 6d
0030 44 66 00 04 00 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 50 56 97 00 46 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0110 00 00 00 00 00 00 63 82 53 63 35 01 01 3d 07 01
0120 00 50 56 97 00 46 39 02 05 dc 3c 0d 64 68 63 70
0130 63 64 20 34 2e 30 2e 31 35 37 0b 01 79 21 03 06
0140 0f 1c 33 3a 3b 77 ff 00 00 00 00 00 00 00 00 00
0150 00 00 00 00 00 00
EOF
    /usr/bin/text2pcap "$thePHfile" "$thePfile" >/dev/null 2>&1   # Convert the HEX file into a PCAP file
}

pcktGen                                                  # Create packet (.PCAP) file
pcktRepyCapt                                             # Packet Replay and Capture
processRaw > "$tmp2file" 2>/dev/null                     # Remove the timestamp column
queryUniq | /usr/bin/sort -u > "$tmp3file" 2>/dev/null   # Sort the packets and remove duplicate lines
pcktAnalyse                                              # Check IP
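As an added example (not part of the original script), here is a sturdier version of the pcktAnalyse step: it reads the same tcpdump -e -nnq lines, finds the server address by locating the "x.x.x.x.67 >" token rather than by fixed character offsets, de-duplicates server MAC/IP pairs, and reports every non-authorised server instead of stopping at the first. The sample tcpdump lines and the function names are constructed for this example.

```shell
#!/bin/bash
# Constructed sample of "tcpdump -l -e -i eth0 -nnq 'udp src port 67 && udp dst port 68'"
# output: two offers from the authorised server and one from a second server.
SAMPLE_OFFERS='12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, IPv4, length 342: 192.168.0.1.67 > 255.255.255.255.68: UDP, length 300
12:00:03.000002 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, IPv4, length 342: 192.168.0.1.67 > 255.255.255.255.68: UDP, length 300
12:00:03.000003 de:ad:be:ef:00:01 > 00:50:56:97:00:46, IPv4, length 342: 192.168.0.254.67 > 192.168.0.77.68: UDP, length 300'

# find_rogue_offers "AUTHORISED_IPS" < tcpdump-lines
# Prints "MAC IP" once per distinct server whose IP is not in the space-separated
# allow-list. The server IP is found by locating the "x.x.x.x.67 >" token instead of
# counting characters, so it does not depend on the timestamp width, the number of
# comma-separated fields tcpdump prints, or the port's digit count.
find_rogue_offers() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
    {
        mac = $2; ip = ""                     # with -e the second field is the source MAC
        for (i = 1; i < NF; i++)
            if ($i ~ /\.67$/ && $(i + 1) == ">") { ip = $i; sub(/\.67$/, "", ip) }
        if (ip == "" || (ip in ok)) next      # no server address found, or an authorised one
        if (!seen[mac, ip]++) print mac, ip   # report each rogue server only once
    }'
}

# check_offers "AUTHORISED_IPS" "tcpdump-lines": returns 1 and lists the offenders
# when any non-authorised server answered, 0 when only authorised servers did.
check_offers() {
    rogue=$(printf '%s\n' "$2" | find_rogue_offers "$1")
    [ -z "$rogue" ] && return 0
    printf 'Non-authorised DHCP server(s) in the network (MAC IP):\n%s\n' "$rogue"
    return 1
}

if check_offers '192.168.0.1' "$SAMPLE_OFFERS"; then
    echo "Only the authorised DHCP server answered"
fi
```

In the real script, feed it the raw capture with `find_rogue_offers "$authoriseIP" < "$tmp1file"`; the processRaw and queryUniq steps are then no longer needed.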
If you have any questions or a better approach, please email me at nick_khor@hotmail.com
Thank you